appdir := $(contextpath)
user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
- appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names)
-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
++appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names)
net_contexts := $(builddir)net_contexts
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
# Client local policy
#
- tunable_policy(`sepgsql_enable_users_ddl',`
- allow $2 user_sepgsql_schema_t:db_schema { create drop setattr };
- allow $2 user_sepgsql_table_t:db_table { create drop setattr };
- allow $2 user_sepgsql_table_t:db_column { create drop setattr };
- allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
- allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value };
- allow $2 user_sepgsql_view_t:db_view { create drop setattr };
- allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
- ')
+
+ allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name };
+ type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t;
+
allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock };
allow $2 user_sepgsql_table_t:db_column { getattr use select update insert };
allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete };
allow $2 sepgsql_trusted_proc_t:process transition;
type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
-
+
+ tunable_policy(`sepgsql_enable_users_ddl',`
++ allow $2 user_sepgsql_schema_t:db_schema { create drop setattr };
+ allow $2 user_sepgsql_table_t:db_table { create drop setattr };
+ allow $2 user_sepgsql_table_t:db_column { create drop setattr };
+ allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
++ allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value };
++ allow $2 user_sepgsql_view_t:db_view { create drop setattr };
+ allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
+ ')
')
########################################
type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
allow $1 sepgsql_trusted_proc_t:process transition;
++<<<<<<< .merge_file_hr5C3y
++=======
+ tunable_policy(`sepgsql_enable_users_ddl',`
+ allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr };
+ allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
+ allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
+ allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
+ allow $1 unpriv_sepgsql_seq_t:db_sequence { create drop setattr };
+ allow $1 unpriv_sepgsql_view_t:db_view { create drop setattr };
+ allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
+ ')
+ allow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name };
+ type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t;
+
++>>>>>>> .merge_file_bHSs2v
allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock };
allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert };
allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete };
manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
- files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file })
+ files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file })
+manage_dirs_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
-files_pid_filetrans(ipsec_t, ipsec_var_run_t, { file sock_file })
+files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file })
can_exec(ipsec_t, ipsec_mgmt_exec_t)
files_read_etc_files(setkey_t)
init_dontaudit_use_fds(setkey_t)
+init_read_script_tmp_files(setkey_t)
# allow setkey to set the context for ipsec SAs and policy.
- ipsec_setcontext_default_spd(setkey_t)
+ corenet_setcontext_all_spds(setkey_t)
locallogin_use_fds(setkey_t)
seutil_read_config(setkey_t)
userdom_use_user_terminals(setkey_t)
+userdom_read_user_tmp_files(setkey_t)
+
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
+manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t)
+manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t)
+files_pid_filetrans(mount_t,mount_var_run_t,dir)
+files_var_filetrans(mount_t,mount_var_run_t,dir)
+
+# In order to mount reiserfs_t
+kernel_dontaudit_getattr_core_if(mount_t)
+kernel_list_unlabeled(mount_t)
+kernel_mount_unlabeled(mount_t)
+kernel_unmount_unlabeled(mount_t)
kernel_read_system_state(mount_t)
+kernel_read_network_state(mount_t)
kernel_read_kernel_sysctls(mount_t)
-kernel_dontaudit_getattr_core_if(mount_t)
+kernel_manage_debugfs(mount_t)
+kernel_setsched(mount_t)
+kernel_use_fds(mount_t)
+kernel_request_load_module(mount_t)
kernel_dontaudit_write_debugfs_dirs(mount_t)
kernel_dontaudit_write_proc_dirs(mount_t)
+ # To load binfmt_misc kernel module
+ kernel_request_load_module(mount_t)
# required for mount.smbfs
corecmd_exec_bin(mount_t)
')
')
- optional_policy(`
- #signal mcstrans on reload
- init_spec_domtrans_script(semanage_t)
- ')
-
- # cjp: need a more general way to handle this:
- ifdef(`enable_mls',`
- # read secadm tmp files
- ',`
- # Handle pp files created in homedir and /tmp
- userdom_read_user_home_content_files(semanage_t)
- userdom_read_user_tmp_files(semanage_t)
- ')
-
- userdom_search_admin_dir(semanage_t)
-
-########################################
+####################################n####
#
-# Setfiles local policy
+# setsebool local policy
#
+seutil_semanage_policy(setsebool_t)
+selinux_set_all_booleans(setsebool_t)
-allow setfiles_t self:capability { dac_override dac_read_search fowner };
-dontaudit setfiles_t self:capability sys_tty_config;
-allow setfiles_t self:fifo_file rw_file_perms;
-
-allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
-allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
-allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
-
-kernel_read_system_state(setfiles_t)
-kernel_relabelfrom_unlabeled_dirs(setfiles_t)
-kernel_relabelfrom_unlabeled_files(setfiles_t)
-kernel_relabelfrom_unlabeled_symlinks(setfiles_t)
-kernel_relabelfrom_unlabeled_pipes(setfiles_t)
-kernel_relabelfrom_unlabeled_sockets(setfiles_t)
-kernel_use_fds(setfiles_t)
-kernel_rw_pipes(setfiles_t)
-kernel_rw_unix_dgram_sockets(setfiles_t)
-kernel_dontaudit_list_all_proc(setfiles_t)
-kernel_dontaudit_list_all_sysctls(setfiles_t)
-
-dev_relabel_all_dev_nodes(setfiles_t)
-
-domain_use_interactive_fds(setfiles_t)
-domain_dontaudit_search_all_domains_state(setfiles_t)
-
-files_read_etc_runtime_files(setfiles_t)
-files_read_etc_files(setfiles_t)
-files_list_all(setfiles_t)
-files_relabel_all_files(setfiles_t)
-files_read_usr_symlinks(setfiles_t)
-
-fs_getattr_xattr_fs(setfiles_t)
-fs_list_all(setfiles_t)
-fs_search_auto_mountpoints(setfiles_t)
-fs_relabelfrom_noxattr_fs(setfiles_t)
+init_dontaudit_use_fds(setsebool_t)
-mls_file_read_all_levels(setfiles_t)
-mls_file_write_all_levels(setfiles_t)
-mls_file_upgrade(setfiles_t)
-mls_file_downgrade(setfiles_t)
+# Bug in semanage
+seutil_domtrans_setfiles(setsebool_t)
+seutil_manage_file_contexts(setsebool_t)
+seutil_manage_default_contexts(setsebool_t)
+seutil_manage_config(setsebool_t)
-selinux_validate_context(setfiles_t)
-selinux_compute_access_vector(setfiles_t)
-selinux_compute_create_context(setfiles_t)
-selinux_compute_relabel_context(setfiles_t)
-selinux_compute_user_contexts(setfiles_t)
-
-term_use_all_ttys(setfiles_t)
-term_use_all_ptys(setfiles_t)
-term_use_unallocated_ttys(setfiles_t)
-
-# this is to satisfy the assertion:
-auth_relabelto_shadow(setfiles_t)
-
-init_use_fds(setfiles_t)
-init_use_script_fds(setfiles_t)
-init_use_script_ptys(setfiles_t)
-init_exec_script_files(setfiles_t)
-
-logging_send_syslog_msg(setfiles_t)
-
-miscfiles_read_localization(setfiles_t)
-
-seutil_libselinux_linked(setfiles_t)
+########################################
+#
+# Setfiles local policy
+#
-userdom_use_all_users_fds(setfiles_t)
-# for config files in a home directory
-userdom_read_user_home_content_files(setfiles_t)
+seutil_setfiles(setfiles_t)
+# During boot in Rawhide
+term_use_generic_ptys(setfiles_t)
-ifdef(`distro_debian',`
- # udev tmpfs is populated with static device nodes
- # and then relabeled afterwards; thus
- # /dev/console has the tmpfs type
- fs_rw_tmpfs_chr_files(setfiles_t)
-')
+seutil_setfiles(setfiles_mac_t)
+allow setfiles_mac_t self:capability2 mac_admin;
+kernel_relabelto_unlabeled(setfiles_mac_t)
-ifdef(`distro_redhat', `
- fs_rw_tmpfs_chr_files(setfiles_t)
- fs_rw_tmpfs_blk_files(setfiles_t)
- fs_relabel_tmpfs_blk_file(setfiles_t)
- fs_relabel_tmpfs_chr_file(setfiles_t)
+optional_policy(`
+ files_dontaudit_write_isid_chr_files(setfiles_mac_t)
+ livecd_dontaudit_leaks(setfiles_mac_t)
+ livecd_rw_tmp_files(setfiles_mac_t)
+ dev_dontaudit_write_all_chr_files(setfiles_mac_t)
')
-ifdef(`distro_ubuntu',`
- optional_policy(`
- unconfined_domain(setfiles_t)
- ')
+optional_policy(`
+ hal_dontaudit_leaks(setfiles_t)
')
ifdef(`hide_broken_symptoms',`